ietf-asrg
[Top] [All Lists]

Re: [Asrg] Consent Proposal

2003-07-01 16:58:38
On Tue, Jul 01, 2003 at 10:54:46PM +0100, Danny Angus wrote:
We can look outside the domain of mail to find workable examples of trust,
PGP and SSL both make provision for the inclusion of out-of-channel trust
verification. I suppose in this situation it is whom you choose to inherit
trust from, and ultimately your trusted root trust providers.

I don't think so.

WebSites use SSL because every newspaper told Joe User that a server
without SSL is insecure and steals your credit card number. However
there are lots of Root CAs with different pricing and different
policies and to be honest I don't trust any of them getting it right.
So the Joe Users get tricked but I don't think any of the more
technically oriented gets really trust from a SSL CERT.
Thawte for example tries to trick them even more. Go to http://www.thawte.com/
and check the "SiteSeal". You can plug an image on your website that
should tell the visitor that this is a kewl secure site. They do a lot
of technical stuff and Javascript to make it as sure as possible for
spoofing, but Joe User only sees an image and he won't even understand
the technic involved. So I copy a image over and now my site is also
real kewl save and protected and no Joe User will ever notice it's a fake.
Joe User will stop looking at the browsers security info page that gives
the REAL security information but look at yet another picture and will
be tricked into a not existing security.

For PGP they create a "web of trust".
Guess what happens if I get your public key from a keyserver. Then I
create 200 fake certificates and sign your key and after that I revoke
the signs and submit it back to the keyserver. Who do you think will
trust your key any longer?

There is no such thing as established working "trust" mechanisms in the
Internet of today (IMHO!!) They all fail miserably as early as because of
non existant working revocation spreading mechanisms. If I get a CERT
from Verisign for 2 years and they revoke it after one year, who do you
think will notice that? With their security breach some months ago
antivirus producers added the falsly issued certs to their antigenes
so that the end user has at least a very little chance to notice abuse.

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



<Prev in Thread] Current Thread [Next in Thread>